Description
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories/{memory_id}). The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated DELETE requests to remove any memory entry from the database, leading to unauthorized data loss and potential denial of service.
Published: 2026-05-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mem0 1.0.0 server contains a memory deletion API endpoint (DELETE /memories/{memory_id}) that does not enforce authentication or authorization checks. Unauthenticated users can delete arbitrary memory entries, leading to unauthorized data loss and possible service denial. The flaw is a missing authentication weakness (CWE‑306) coupled with an authorization bypass (CWE‑862).

Affected Systems

The affected product is the mem0 server on version 1.0.0. No other vendors or product versions are listed in the CNA data. The vulnerability applies to any deployment of this specific version that exposes the API over a network.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is remote, over HTTP, requiring only network connectivity to the API. Because the endpoint accepts unauthenticated DELETE requests, exploitation is trivially achievable by any client that can reach the server. The EPSS score of <1% indicates a low exploitation probability in the broader landscape, yet the CVSS score of 6.5 reflects moderate severity due to data loss and potential service disruption. The vulnerability is not listed in the CISA KEV catalog, so there are currently no publicly known exploits reported.

Generated by OpenCVE AI on May 13, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mem0 to a version that implements authentication and authorization on the memory deletion endpoint.
  • If an upgrade is not immediately possible, constrain access to the server by restricting inbound traffic to trusted hosts or networks using firewall rules or a VPN.
  • Add application‑level authentication middleware to the DELETE /memories/{memory_id} endpoint and enforce fine‑grained permission checks before allowing deletion.

Generated by OpenCVE AI on May 13, 2026 at 18:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mem0
Mem0 mem0
CPEs cpe:2.3:a:mem0:mem0:1.0.0:*:*:*:*:*:*:*
Vendors & Products Mem0
Mem0 mem0

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Memory Deletion in mem0 Server

Wed, 13 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Deletion of Memory Records in mem0 Server
Weaknesses CWE-269
CWE-284

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
CWE-862
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Mem0ai
Mem0ai mem0
Vendors & Products Mem0ai
Mem0ai mem0

Tue, 12 May 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Deletion of Memory Records in mem0 Server
Weaknesses CWE-269
CWE-284

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories/{memory_id}). The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated DELETE requests to remove any memory entry from the database, leading to unauthorized data loss and potential denial of service.
References

Subscriptions

Mem0 Mem0
Mem0ai Mem0
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T13:27:43.240Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31244

cve-icon Vulnrichment

Updated: 2026-05-13T13:27:39.528Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:16:52.897

Modified: 2026-05-14T18:38:33.120

Link: CVE-2026-31244

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses